There’s a fairly in-depth article at BusinessWeek that goes into click fraud and what is being done about it. Once upon a time I used to work for one of the very first banner advertisers on the web, so I am personally very familiar with how click fraud works and how to stop it. In fact, when I started, we were seeing fraud in the 10-20% range, and when I left, we saw less than 1% fraud. Still, if you consider that that 1% could account for millions of impressions and hundreds of thousands of clicks, it’s still a huge number that advertisers don’t want to shoulder in expense.

First of all, let me get my rant out of the way. Banner advertising (not text based, just the images) is highly flawed. The advertisers will ask you to create a banner that is highly attractive to consumers (like “hit the monkey”). The problem with that is that such banners generate a huge number of clickthroughs, which is great for the banner advertising companies, but terrible for the advertisers because they don’t make any money off of it. Unqualified leads aren’t worth anything. It is really in your best interest to make the ugliest banner possible, one that no one would ever want to click on unless they knew for a fact that money would immediately be withdrawn from their account. Anyway, sorry for the rant.

Okay, so how do banner advertisers catch you? Well, without disclosing everything, there are a few key things to remember. First of all is ratios. If your ratios get extremely out of whack (over 1% clickthroughs/impressions) it’s highly likely that you are fraudulent.

Second, you are exposing only what your browser exposes (referring URLs, user agents, etc…). So if you expose the same values over and over, or fail to expose them at all, your ratios are off in that way too.

Third is cookies. For repeat users, you probably should have a series of cookies. Chances are you have had a cookie set by one of the banner advertisers. If for some reason none of your traffic ever sends a valid cookie twice, that looks bad. Then there is the infinite monkey thing, where they set up fake advertisers with free contests. If they never see anyone click on the free contest to win a plasma TV, then they know your traffic is fake (in an infinite-monkeys-with-infinite-typewriters situation). Think about click fraud detection as anomaly detection.
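To make the anomaly-detection framing concrete, here is an added example (my own illustration, not code from this post or from any ad network) that scores publishers on the four signals above: clickthrough ratio, uniformity of browser-exposed values (user agent and referer), whether clicks ever present a cookie seen earlier in the stream, and whether anyone ever bites on the honeypot contest ad. The log format, the publisher names, the 10-click minimum and the 90% uniformity threshold are all constructed assumptions; only the 1% clickthrough ratio comes from the post.

```python
"""
Anomaly-style click-fraud scoring over a constructed ad-server log.
Each line: timestamp,publisher,event,ip,user_agent,referer,cookie,ad
  event  : impression | click
  cookie : '-' when the browser sent no cookie
  ad     : 'honeypot' for the bait contest ad, otherwise 'real'
Lines are assumed to be in stream (time) order.
"""
from collections import defaultdict

# Constructed sample log (not real traffic). "good-pub" behaves like humans;
# "bot-pub" replays one browser, never repeats a cookie, never takes the bait.
SAMPLE_LOG = "\n".join(
    # 400 impressions and 2 clicks on good-pub: CTR 0.5%, one click on the bait ad
    [f"2006-08-21T08:{i % 60:02d},good-pub,impression,10.0.0.{i % 50},UA-{i % 7},"
     f"http://good.example/p{i % 9},c{i % 120},real" for i in range(400)]
    + ["2006-08-21T09:01,good-pub,click,10.0.0.5,UA-2,http://good.example/p1,c5,real",
       "2006-08-21T09:02,good-pub,click,10.0.0.9,UA-4,http://good.example/p3,c9,honeypot"]
    # 100 impressions and 30 clicks on bot-pub: CTR 30%, identical UA/referer,
    # no cookie on impressions and a never-before-seen cookie on every click
    + [f"2006-08-21T10:{i % 60:02d},bot-pub,impression,192.0.2.{i},UA-bot,"
       f"http://bot.example/,-,real" for i in range(100)]
    + [f"2006-08-21T10:{i % 60:02d},bot-pub,click,192.0.2.{i},UA-bot,"
       f"http://bot.example/,fresh{i},real" for i in range(30)]
)


def parse_log(text):
    """Parse the comma-separated log into dicts, keeping stream order."""
    fields = ("ts", "publisher", "event", "ip", "ua", "referer", "cookie", "ad")
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != len(fields):
            continue  # skip blank or malformed lines instead of crashing
        records.append(dict(zip(fields, parts)))
    return records


def score_publishers(records, ctr_limit=0.01, min_clicks=10, uniform_share=0.9):
    """Return {publisher: {"ctr": float, "flags": [...]}}.

    Flags: "ctr" (ratio above ctr_limit), "uniform_fingerprint" (one UA/referer
    pair accounts for >= uniform_share of clicks), "no_repeat_cookies" (no click
    ever carried a cookie seen earlier), "ignored_honeypot" (no bait clicks).
    The last three only fire once a publisher has at least min_clicks clicks.
    """
    imps = defaultdict(int)
    clicks = defaultdict(list)
    seen_cookies = defaultdict(set)   # per publisher: cookies seen so far
    repeat_clicks = defaultdict(int)  # clicks that presented an already-known cookie
    for r in records:
        pub = r["publisher"]
        if r["event"] == "impression":
            imps[pub] += 1
        elif r["event"] == "click":
            clicks[pub].append(r)
            if r["cookie"] in seen_cookies[pub]:
                repeat_clicks[pub] += 1
        if r["cookie"] != "-":
            seen_cookies[pub].add(r["cookie"])

    report = {}
    for pub in set(imps) | set(clicks):
        n_imp, n_clk = imps[pub], len(clicks[pub])
        ctr = n_clk / n_imp if n_imp else float("inf")  # clicks with no impressions
        flags = []
        if ctr > ctr_limit:
            flags.append("ctr")
        if n_clk >= min_clicks:
            fingerprints = defaultdict(int)
            for c in clicks[pub]:
                fingerprints[(c["ua"], c["referer"])] += 1
            if max(fingerprints.values()) / n_clk >= uniform_share:
                flags.append("uniform_fingerprint")
            if repeat_clicks[pub] == 0:
                flags.append("no_repeat_cookies")
            if not any(c["ad"] == "honeypot" for c in clicks[pub]):
                flags.append("ignored_honeypot")
        report[pub] = {"ctr": round(ctr, 4), "flags": flags}
    return report


if __name__ == "__main__":
    for pub, result in sorted(score_publishers(parse_log(SAMPLE_LOG)).items()):
        print(pub, result)
```

On the constructed log, good-pub comes out clean (CTR 0.5%, too few clicks for the other checks to apply) while bot-pub trips all four flags. The point of requiring several independent signals is the one the post makes: a fraudster can change IP addresses cheaply, but keeping ratios, browser-exposed values, cookie behaviour and honeypot responses all looking human at the same time is much harder.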

Of course, with the advent of Flash and JavaScript as a delivery mechanism instead of just images, you now have a lot more insight into the page the image is located on and the user who is viewing it. All the things in my tracking post below are possible candidates, plus all the JavaScript environmental variables like screen resolution etc… are exposed. Click on the environmental variables page to see what I’m talking about (with JavaScript turned on). In this way the advertisers have access to a lot of personal information about you that cannot be forged by simply changing an IP address.

So what does this mean for modern click fraud? Well, most of this stuff has been known by me and a few others for almost a decade now, but it hasn’t trickled down to some of the bigger advertising companies yet - plus it is non-trivial to build in some cases. You can view the JavaScript source of Overture or Adwords to see what they are logging (if you can decipher their JavaScript), but the Flash movies are a touch harder, as they are truly dynamic. The nice thing about JavaScript and Flash as a delivery mechanism is that you aren’t static. You are running a remote piece of JavaScript that you have no control over on your page. Is that a good idea? Do you trust anyone to control any website you put their content on? This is the definition of XSS, only you have to trust the website it resides on.

It can be done under the guise of understanding what is on the page so they can do targeting, but in the end they are doing data collection. They want to know what is on the page, who is calling it, and whether they are committing some form of fraud. The trick is that they have only recently been figuring this out, as you can see by the statistics of how much they are paying out in fraud loss. In fact it was mentioned as one of the main ways that Google could fail as a business model. Having worked in the industry and invented a lot of the technology I’m talking about, I really have no opinion about it. Lots of it is flawed, which is why I quit - click fraud prevention is just too flawed.

This entry was posted on Monday, August 21st, 2006 at 8:47 am and is filed under Webappsec, Random Security.

4 Responses to “Click Fraud”

[…] This is a user who has been on the site off and on for quite some time, so it is not in regard to any of the near recent past events, and in fact found me through a link talking about the imagecrash script. So I’m not exactly sure what the impetus was other than perhaps there is some clue in the post he looked at immediately before going crazy - the click fraud post. I can’t really see why click fraud would burn this user up, but there you have it. […]

[…] Rsnake has an article about click fraud where he noted that “we were seeing numbers in the 10-20% range of fraud” for unprotected systems. His conclusion goes even further to say that “click fraud prevention is just too flawed.” […]

I probably should point out, since Quads called me out on it, that I was referring only to CPC (which was the business model of the company I worked for). But yes, I agree with his statement on CPM banner ads. That’s particularly true for traffic/click-through arbitrage - in that case there’s definitely money to be made still.